CSP: Enable whitelisting of external JavaScript via hashes

third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp

Index: third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
diff --git a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
index c83d06108a60868de6f45062012304ba2d32e711..4f24043ee8b7764117b0b801f4b3757b971e79c5 100644
--- a/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
@@ -496,12 +496,14 @@ bool isAllowedByAll(const CSPDirectiveListVector& policies,
 template <bool (CSPDirectiveList::*allowFromURLWithNonceAndParser)(
     const KURL&,
     const String& nonce,
+    const IntegrityMetadataSet& hashes,
     ParserDisposition parserDisposition,
     RedirectStatus,
     SecurityViolationReportingPolicy) const>
 bool isAllowedByAll(const CSPDirectiveListVector& policies,
                     const KURL& url,
                     const String& nonce,
+                    const IntegrityMetadataSet& hashes,
                     ParserDisposition parserDisposition,
                     RedirectStatus redirectStatus,
                     SecurityViolationReportingPolicy reportingPolicy) {
@@ -522,7 +524,7 @@ bool isAllowedByAll(const CSPDirectiveListVector& policies,
   bool isAllowed = true;
   for (const auto& policy : policies) {
     isAllowed &= (policy.get()->*allowFromURLWithNonceAndParser)(
-        url, nonce, parserDisposition, redirectStatus, reportingPolicy);
+        url, nonce, hashes, parserDisposition, redirectStatus, reportingPolicy);
   }
   return isAllowed;
 }
@@ -699,6 +701,7 @@ bool ContentSecurityPolicy::allowPluginTypeForDocument(
 bool ContentSecurityPolicy::allowScriptFromSource(
     const KURL& url,
     const String& nonce,
+    const IntegrityMetadataSet& hashes,
     ParserDisposition parserDisposition,
     RedirectStatus redirectStatus,
     SecurityViolationReportingPolicy reportingPolicy) const {
@@ -710,7 +713,7 @@ bool ContentSecurityPolicy::allowScriptFromSource(
             : UseCounter::ScriptWithCSPBypassingSchemeNotParserInserted);
   }
   return isAllowedByAll<&CSPDirectiveList::allowScriptFromSource>(
-      m_policies, url, nonce, parserDisposition, redirectStatus,
+      m_policies, url, nonce, hashes, parserDisposition, redirectStatus,
       reportingPolicy);
 }
 
@@ -780,8 +783,9 @@ bool ContentSecurityPolicy::allowRequest(
     case WebURLRequest::RequestContextImport:
     case WebURLRequest::RequestContextScript:
     case WebURLRequest::RequestContextXSLT:
-      return allowScriptFromSource(url, nonce, parserDisposition,
-                                   redirectStatus, reportingPolicy);
+      return allowScriptFromSource(url, nonce, integrityMetadata,
+                                   parserDisposition, redirectStatus,
+                                   reportingPolicy);
     case WebURLRequest::RequestContextManifest:
       return allowManifestFromSource(url, redirectStatus, reportingPolicy);
     case WebURLRequest::RequestContextServiceWorker:
@@ -902,7 +906,8 @@ bool ContentSecurityPolicy::allowWorkerContextFromSource(
             m_policies, url, redirectStatus,
             SecurityViolationReportingPolicy::SuppressReporting) &&
         !isAllowedByAll<&CSPDirectiveList::allowScriptFromSource>(
-            m_policies, url, AtomicString(), NotParserInserted, redirectStatus,
+            m_policies, url, AtomicString(), IntegrityMetadataSet(),
+            NotParserInserted, redirectStatus,
             SecurityViolationReportingPolicy::SuppressReporting)) {
       UseCounter::count(*document,
                         UseCounter::WorkerAllowedByChildBlockedByScript);